User control points in a network environment

The present invention generally relates to the field of security in a network environment. The present invention more particularly relates to a method, apparatus, computer program product and computer program element for creating a control point associated with a user in a computing environment having a network connectivity model, a method, apparatus, computer program product and computer program element for accessing services provided by a device in such an environment, as well as to a network of computing devices including such apparatuses.

In the field of networking the connectivity model used is often UPnP (Universal Plug and Play). This standard defines entities such as control points, devices and security consoles. A device is here a physical entity that has a set of services it offers to different elements of the network, where a security console determines the rights for such elements regarding such a device. A control point can then be allowed to use the services of the device in case the security console has granted the control point access rights. In this environment a control point can be provided in the same or in a different physical entity as the device is provided in. The same applies to the security console, which can be provided in the same entity as the physical device. It can also be provided for different devices. These types of entities are described in more detail in "Home Network Security" by Carl M. Ellison, Intel Technical Journal, Vol. 6, Issue 4, page 37 - 48, November 15, 2002.

There is however a problem associated with the known type of control points and that is that they are device dependent. This means that a control point is associated with a first device or machine connected in a network, which is trying to get access to a service in a second device. There can however be a need for allowing different types of rights in relation to devices in dependence of the person wanting to access the device. This is today not possible in the UPnP environment. All persons trying to get access to a device via a control point will then have the same rights, which might not be in the interest of the owner of the device to which a user is getting access.

There is therefore a need for a solution allowing users different rights independently of the point of access and without having to change the connectivity model used.



It is an object of the present invention to allow different rights to users in relation to devices in a computing environment having a networking connectivity model independently of the point of access and without having to change the connectivity model used.

According to a first aspect of the present invention, this object is achieved by a method of creating a control point associated with a user for a computing environment having a networking connectivity model and comprising the steps of:

- generating a control point identity for the user based on a public key associated with the user,
- providing at least basic control point functionalities, and
- storing the control point identity and the functionalities as a control point, such that the user can operate any device he is allowed to in the computing environment from any physical entity where the control point is enabled.

According to a second aspect of the invention, this object is also achieved by a method of accessing services provided by a device in a computing environment having a networking connectivity model and comprising the steps of:

- identifying a user wanting to access services at a point of access for the user to the computing environment by using a control point identifier,
- determining if there is a control point associated with the user existing at the point of access,
- copying, if there is no such control point at the point of access, the control point to the point of access,
- activating the control point, and
- connecting the control point with a device, such that the user can access services from the device in dependence of the rights granted to him.

According to a third aspect of the present invention, this object is also achieved by an apparatus for creating a control point associated with a user in a computing environment having a networking connectivity model and arranged to:

PHNL031313EPP 05.11.2003

- generate a control point identity for the user based on a public key associated with the user,
- provide at least basic control point functionalities, and
- store the control point identity and the functionalities as a control point such that the user can operate any device he is allowed to in the computing environment from any physical entity where the control point is enabled.

According to a fourth aspect of the present invention, the object is also achieved by an apparatus for accessing services provided by a device in a computing environment having a networking connectivity model and arranged to:

- identify a user wanting to access services at a point of access for the user to the computing environment by using a control point identifier,
- determine if there is a control point associated with the user existing at the point of access,
- copy, if there is no such control point at the point of access, the control point to the point of access,
- activate the control point, and
- connect the control point with a device, such that the user can access services from the device in dependence of the rights granted to him.

According to a fifth aspect of the present invention, the object is also achieved by a network of computing devices using a networking connectivity model and comprising:

an apparatus for creating a control point associated with a user and arranged to:

- generate a control point identity for the user based on a public key associated with the user,
- provide at least basic control point functionalities, and
- store the control point identity and the functionalities as a control point such that the user can operate any device he is allowed to in the computing environment from any physical entity where the control point is enabled, and

an apparatus for accessing services provided by a device and arranged to:

- identify a user wanting to access services at a point of access for the user to the computing environment by using a control point identifier,
- determine if there is a control point associated with the user existing at the point of access,
- copy, if there is no such control point at the point of access, the control point to the point of access,
- activate the control point, and
- connect the control point with a device, such that the user can access services from the device in dependence of the rights granted to him.

According to a sixth aspect of the present invention, this object is also achieved by a computer program product for creating a control point associated with a user in a computing environment having a networking connectivity model, comprising a computer readable medium having thereon:

computer program code means, to make the computer execute, when said program is loaded in the computer:

- generate a control point identity for the user based on a public key associated with the user,
- provide at least basic control point functionalities, and
- store the control point identity and the functionalities as a control point such that the user can operate any device he is allowed to in the computing environment from any physical entity where the control point is enabled.

According to a seventh aspect of the present invention, this object is also achieved by a computer program product for accessing services provided by a device in a computing environment having a networking connectivity model, comprising a computer readable medium having thereon:

computer program code means, to make the computer execute, when said program is loaded in the computer:

- identify a user wanting to access services at a point of access for the user to the computing environment by using a control point identifier,
- determine if there is a control point associated with the user existing at the point of access,
- copy, if there is no such control point at the point of access, the control point to the point of access,
- activate the control point, and
- connect the control point with a device, such that the user can access services from the device in dependence of the rights granted to him.

According to an eighth aspect of the present invention, this object is furthermore achieved by a computer program element for creating a control point associated with a user in a computing environment having a networking connectivity model, said computer program element comprising:

computer program code means, to make the computer execute, when said program element is loaded in the computer:

- generate a control point identity for the user based on a public key associated with the user,
- provide at least basic control point functionalities, and
- store the control point identity and the functionalities as a control point such that the user can operate any device he is allowed to in the computing environment from any physical entity where the control point is enabled.

According to a ninth aspect of the present invention, this object is also achieved by a computer program element for accessing services provided by a device in a computing environment having a networking connectivity model:

computer program code means, to make the computer execute, when said program element is loaded in the computer:

- identify a user wanting to access services at a point of access for the user to the computing environment by using a control point identifier,
- determine if there is a control point associated with the user existing at the point of access,
- copy, if there is no such control point at the point of access, the control point to the point of access,
- activate the control point, and
- connect the control point with a device, such that the user can access services from the device in dependence of the rights granted to him.

Claims 2, 3 and 4 are directed towards storing the control point in different locations.

Claim 9 is directed towards registering a control point at a security console for accessing a device.

Claims 10 and 11 are directed towards different ways of granting access to a control point.

The present invention has the advantage of allowing differentiated types of access to a device for a user in a computing environment having a networking connectivity model. The access is furthermore not dependent on the entity via which a user accesses a device, which allows a higher degree of freedom for the user. At the same time the connectivity model does not have to be changed. The invention is furthermore easy to implement by just providing some software in addition to that which already exists.

The general idea behind the invention is thus to create a control point in a computing environment having a networking connectivity model that is associated with the user and not the entity through which access to a device is obtained. Such a control point can then be used for accessing a device anywhere in the environment.

These and other aspects of the invention will be apparent from and elucidated with reference to the embodiments described hereinafter.



The present invention will now be explained in more detail in relation to the enclosed drawings, where

Fig. 1 shows a block schematic of a number of physical devices connected in a network,

Fig. 2 shows a block schematic of an apparatus for creating and accessing a control point according to the invention,

Fig. 3 shows another block schematic of an apparatus for creating and accessing a control point according to the invention,

Fig. 4 shows a block schematic of a control point, a device and security console,

Fig. 5 shows a flow chart of a method of creating a control point according to the invention,

Fig. 6 shows a flow chart of a method of accessing services according to the invention, and

Fig. 7 shows a computer readable medium in the form of a CD ROM disc for storing of program code for performing the invention.



Fig. 1 shows a schematic drawing of a computer network 10, where the invention can be provided. The network is in one embodiment a home network in which different services can be provided. Because of this the network includes a number of physical entities 12, 18, 20 and 22, of which at least some provide different services, like for instance MP3 player, web radio, DVD player etc. To a first of the entities 12 is connected a smart card reader 14 in which a smart card 16 has been inserted. The smart card 16 belongs to a user of the system and includes private and public encryption keys for use in identifying and granting access to the user. Networking is enabled by the connectivity model or standard UPnP (Universal Plug and Play) and access to different devices is enabled through the security definitions of that standard. The network is here fixed, but it is equally as well possible that it is wireless.

Fig. 2 shows a block schematic of the smart card 16 connected to an apparatus 12 for creating and accessing control points and comprising a control point creation and accessing unit 24 to which unit is connected a control point store 26.

Fig. 3 shows another block schematic of the smart card 16 connected to the apparatus 12 for creating and accessing control points. Here the smart card 16 is communicating with the control point creation and accessing unit 24, which is connected to the control point store 26, which includes a first control point 30 as well as a second and third control point 32 and 34. The apparatus 12 can be split into two separate apparatuses, one for creating and one for accessing a control point, and can furthermore be provided in different physical entities. For the sake of clarity they are here provided in the one and same entity though.

The different entities in the network of Fig. 1 all have different services they provide like playing of MP3 files, providing Web radio, video, DVD or other types of media services. It is however possible that one entity can provide several types of services. The different services provided are furthermore controlled by using the standard UPnP (Universal Plug and Play). Fig. 4 schematically shows the general functioning of UPnP. Fig. 4 therefore shows a block schematic of different functional entities, which communicate in a UPnP system, where a first control point 30 is communicating with a device 38 having an action control unit 40 and an action control list 42. Also a security console 36 is included. All these entities can and are communicating with each other. It should furthermore be realized that these entities can be provided in one and same physical entity, but they can just as well be provided in different physical entities. The device 38 according to UPnP has a number of services it provides in a physical entity. The control point 30 in the system can then try to access these services provided by the device 38. However the device 38 only grants access to a control point in dependence of settings made in relation to that control point in an action control list (ACL) 42. The security console 36, which can be seen as the owner of the device, has made these settings. In order for the control point 30 to get access to the functionalities of the device 38, it has to register with the security console 36. The security console 36 is controlled by the owner of the device, which can be the owner of the whole network. When the control point 30 therefore wants to access the device 38, it first registers with the security console 36, which then registers the rights granted to the control point in the ACL 42 of the device 38 in question. Thereafter the control point 30 can control the device 38 according to the settings made in the ACL 42. In this way security is provided in the system in that a control point can only access the services for which the security console has granted rights. Here it should be realized that the device is provided in one of the entities shown in Fig. 1, for instance a second entity 22, whereas the control point 30 can be provided in the same entity or in another of the entities shown in Fig. 1. Similarly the security console 36 can be provided in the same entity, but it can also be provided in another of the entities shown in Fig. 1. The security console 36 can furthermore set up the different rights for several devices.

Traditionally control points have been associated with different physical entities, which means that in Fig. 1, the first entity 12 would have one control point, a second entity 18 another control point, a third entity 20 yet another control point and a fourth entity 22 another control point. This means that in a known system, any user trying to access a service through one entity via a control point of that entity, would get access to all the services allowed to that entity via that control point. This is a problem in that the rights to access should be more linked to the user than the entity trying to access a service. The same entity might be used for accessing the same service by different users and it might not be desirable at all that these different users get access to the same service or to the same services in the same degree.

One way of differentiating between users on a device could then be to have only one control point entity for a device and have credentials per user in the entity where the control point is provided. This would also mean that the entity having the control point manages the access rights. Access rights to a device would then be handled through using logical or-operations for the access rights of the individual users.

There are a few problems with this type of solution. It is difficult to provide conditional rights based on logical or-operations from a security console and then the entity where the control point is provided would now govern access rather than the security console, which would change and complicate the access management model used in UPnP.

In order to solve this, the present invention proposes to link a control point to a user.

How this can be done according to a first aspect of the present invention will now be described in relation to Fig. 1, 2, 4 and 5, which latter figure shows a flow chart of a method of creating a control point according to the invention. A user is first registered in the system. In order to do this a new control point associated with the user is created. This is done through the user using the first entity 12 and inserting his smart card 16 in the smart card reader 14 connected to the first entity 12. The first entity therefore is provided with a control point creation and accessing unit 24, which is arranged to create the new control point. The control point creation and accessing unit 24 therefore creates a control point identifier, which is based on the public key of the user and normally by making a hash of the public key, which key is provided to this control point creating unit by the user from his smart card, step 46. Thereafter the control point creation and accessing unit 24 provides the control point with normal control point functionalities such as for being able to identify and control devices as well as to subscribe to events from different devices, step 48. The control point creation and accessing unit 24 then stores the control point identity and the functionalities as a control point associated with the user in the control point store 26 in the first entity 12, step 50. It should here be realized that a control point creation and accessing unit can be provided in any of the entities, provided they have a smart card reader. Likewise the control point store can be provided in any of the entities or a copy being made to all entities. There can furthermore be a special server where control points are stored, which the entity through which a user wants to control some device contacts to find the control point in question. It is also possible that the control point is stored on the actual smart card of the user. The control point identifier should however also be stored on the smart card of the user.

A second aspect of the present invention will now be described in relation to Fig. 1, 3, 4 and 6, where the latter shows a flow chart of a method of accessing services according to the present invention. When a control point 30 thus has been registered and a user later wants to access some device, which can take place from any of the entities of the system allowing access to users, the user gets in contact with the control point creation and accessing unit 24 using his smart card 16 and the control point identifier. The first entity 14 is thus here the point of access for the user to the network. He can then log in to the network using standard login procedures using login name and password. The control point creation and accessing unit 24 therefore identifies a request for access to services, step 52. The control point creation and accessing unit 24 then looks in the control point store 26 and identifies if a control point exists, step 54. If it does not it is copied to the entity from a store somewhere else in the network, for instance in a control point server, step 56. Thereafter the control point creation and accessing unit 24 activates the control point 30 for the user so that he can discover and access different services of the devices in the network, step 58. If the user then wants to access some or any of the devices, which devices can be found via a discovery phase, the control point 30 is then made to register with the security console 36 associated with the device 38, with which the user wants to get in touch, step 60, which has been outlined above in relation to Fig. 4. The security console 36 then grants access to the control point 30 in a known way, step 62, which in this embodiment is done through updating the action control list 42 of the device 38 in question. Thereafter the control point 30 is connected to the device 38 for enabling access, step 64.

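
An added example, not part of the original text, that models steps 46 to 64 above: two users create control points at one entity, log in from another entity, and receive different rights on the same device. SHA-256 as the hash, the class and method names, the shared server dictionary and the sample keys are assumptions; authentication of the user is left out.

```python
import hashlib
from dataclasses import dataclass, replace


def control_point_id(public_key: bytes) -> str:
    """Step 46: the identifier is a hash of the user's public key (SHA-256 assumed)."""
    return hashlib.sha256(public_key).hexdigest()


@dataclass
class ControlPoint:
    cp_id: str
    functions: tuple = ("discover", "control", "subscribe")  # step 48
    active: bool = False


class Device:
    """Device 38: offers services and enforces its ACL per control point."""

    def __init__(self, name, services):
        self.name = name
        self.services = set(services)
        self.acl = {}  # cp_id -> set of permitted services

    def invoke(self, cp, service):
        if not cp.active or service not in self.acl.get(cp.cp_id, set()):
            raise PermissionError(f"{service} denied on {self.name}")
        return f"{self.name}:{service}"


class SecurityConsole:
    """Security console 36: the owner's policy, keyed by control point id."""

    def __init__(self):
        self.policy = {}  # (cp_id, device name) -> set of services

    def allow(self, cp_id, device, services):
        self.policy[(cp_id, device.name)] = set(services) & device.services

    def register(self, cp, device):
        # Steps 60 and 62: register the control point, then write its rights
        # into the device's ACL. Unknown control points get an empty entry.
        device.acl[cp.cp_id] = set(self.policy.get((cp.cp_id, device.name), set()))


class Entity:
    """Physical entity with a creation/accessing unit 24 and a local store 26."""

    def __init__(self, name, server_store):
        self.name = name
        self.store = {}             # local control point store
        self.server = server_store  # shared control point server (assumed dict)

    def create(self, public_key):
        # Steps 46-50; publishing a copy to the server is an assumption.
        cp = ControlPoint(control_point_id(public_key))
        self.store[cp.cp_id] = cp
        self.server[cp.cp_id] = replace(cp)
        return cp.cp_id

    def access(self, cp_id):
        # Steps 52-58: look locally, copy from the server if missing, activate.
        if cp_id not in self.store:
            if cp_id not in self.server:
                raise LookupError("no control point registered for this user")
            self.store[cp_id] = replace(self.server[cp_id])
        cp = self.store[cp_id]
        cp.active = True
        return cp


def demo():
    server = {}
    entity12, entity18 = Entity("entity-12", server), Entity("entity-18", server)
    player = Device("entity-22", {"dvd", "web_radio"})
    console = SecurityConsole()

    # Constructed stand-ins for the public keys read from two smart cards.
    parent = entity12.create(b"constructed-public-key-parent")
    child = entity12.create(b"constructed-public-key-child")
    console.allow(parent, player, {"dvd", "web_radio"})
    console.allow(child, player, {"web_radio"})

    results = {}
    for label, cp_id in (("parent", parent), ("child", child)):
        cp = entity18.access(cp_id)  # same point of access for both users
        console.register(cp, player)
        for service in ("dvd", "web_radio"):
            try:
                player.invoke(cp, service)
                results[(label, service)] = True
            except PermissionError:
                results[(label, service)] = False
    return results


if __name__ == "__main__":
    print(demo())
```
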
The control point creation and accessing unit is preferably provided in the form of one or more processors together with corresponding program memory for containing the program code for performing the methods according to the invention. The program code can also be provided on a computer program product, of which one is shown in Fig. 7 in the form of a CD ROM disc 66. This is just an example and various other types of computer program products are just as well feasible. The program code can furthermore be downloaded to an entity or the smart card from a server, perhaps via the Internet. Another alternative is that the program code is stored on the smart card.

It is possible that the entity in question from where the user is trying to access a device does not have any control point accessing unit or control point store. It is then possible that the user in this case can perform a remote login to an entity having such a control point accessing unit and access to a control point store. In this case the user logs in to a login server of the system.

It is furthermore possible that the identification and verification of the user can be made according to biometrics information instead of via an ordinary login procedure using login name and password. This biometrics information can be based on showing the eye.

In the above-described embodiments of the present invention rights were granted to a control point by entries in an ACL list of a device. It is just as well possible to provide these rights in the form of a ticket, which is sent to the control point and stored there. When accessing a device, the control point then presents this ticket to the device instead of the device reading the ACL list.
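
The ticket variant, as an added example that is not part of the original text: the security console issues a ticket naming the control point identifier, the device and the granted services, and the device checks the presented ticket rather than an ACL. The text does not say how a ticket is protected; the HMAC under a key shared by console and device, the JSON layout and all names are assumptions, and the device is assumed to have already authenticated the presenter's control point identifier.

```python
import hashlib
import hmac
import json


def control_point_id(public_key: bytes) -> str:
    # Hash of the user's public key; SHA-256 is an assumption.
    return hashlib.sha256(public_key).hexdigest()


def issue_ticket(console_key: bytes, cp_id: str, device: str, services) -> dict:
    """Security console side: state the granted rights and authenticate them."""
    body = json.dumps(
        {"cp": cp_id, "device": device, "services": sorted(services)},
        sort_keys=True,
    )
    tag = hmac.new(console_key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def device_accepts(console_key: bytes, device: str, presenter_cp_id: str,
                   ticket: dict, service: str) -> bool:
    """Device side: validate the presented ticket instead of reading an ACL."""
    expected = hmac.new(console_key, ticket["body"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        return False  # altered, or not issued by this device's console
    claims = json.loads(ticket["body"])
    return (
        claims["device"] == device            # ticket is for this device
        and claims["cp"] == presenter_cp_id   # and for this user's control point
        and service in claims["services"]     # and covers the requested service
    )


if __name__ == "__main__":
    key = b"constructed-console-device-key"  # constructed sample key
    cp = control_point_id(b"constructed-public-key-child")
    ticket = issue_ticket(key, cp, "entity-22", {"web_radio"})
    print(device_accepts(key, "entity-22", cp, ticket, "web_radio"))
    print(device_accepts(key, "entity-22", cp, ticket, "dvd"))
```

Binding the ticket to the control point identifier keeps the rights tied to the user; a ticket without that binding would grant its rights to whichever control point held a copy.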

The present invention thus provides a control point, which is directly associated with the user and not the entity from which he tries to get access to a device. Therefore it is easy for an owner of the device to differentiate access between users using the same interface. It is furthermore implemented with small additional costs and efforts without having to change the UPnP standard.

The invention is thus only to be limited by the following claims.
CLAIMS:

1. Method of creating a control point (30) associated with a user in a computing environment having a networking connectivity model and comprising the steps of:

- generating a control point identity for the user based on a public key associated with the user, (step 46),
- providing at least basic control point functionalities, (step 48), and
- storing the control point identity and the functionalities as a control point (30), (step 50), such that the user can operate any device (38) he is allowed to in the computing environment from any physical entity (12, 18, 20, 22) where the control point is enabled.

2. Method according to claim 1, wherein the control point is stored on a server that an entity through which a user can access a device can reach.

3. Method according to claim 1, wherein the control point is stored on a smart card (16) of the user.

4. Method according to claim 1, wherein a replica of the control point is stored in each device the user can be allowed to control.

5. Method according to claim 1, wherein the connectivity model is Universal Plug and Play.

6. Method of accessing services provided by a device (38) in a computing environment having a networking connectivity model and comprising the steps of:

- identifying a user wanting to access services at a point of access (12) for the user to the computing environment by using a control point identifier, (step 52),
- determining if there is a control point (30) associated with the user existing at the point of access, (step 54),
- copying, if there is no such control point at the point of access, the control point to the point of access, (step 56),
- activating the control point, (step 58), and
- connecting the control point with a device (38), (step 64), such that the user can access services from the device in dependence of the rights granted to him.

7. Method according to claim 6, wherein the step of identifying comprises performing authentication of the user using the public key and a secret key of the user.

8. Method according to claim 6, wherein the step of copying comprises copying the control point from a known user control point store.

9. Method according to claim 6, further comprising the steps of:

- registering the control point (30) at a security console (36) using the control point identifier, (step 60), and
- granting permission to the control point regarding at least one device (38) from the security console, (step 62), such that a user can access services of the device via the control point.

10. Method according to claim 9, wherein the step of granting permission comprises storing the control point identifier in an action control list associated with the device in question.

11. Method according to claim 9, wherein the step of granting permission comprises providing the control point with a ticket to be used for accessing services of the device.

12. Method according to claim 9, further comprising the step of accessing the services using access rights provided by a security console (36).

13. Apparatus (12) for creating a control point (30) associated with a user in a computing environment having a networking connectivity model and arranged to:

- generate a control point identity for the user based on a public key associated with the user,
- provide at least basic control point functionalities, and
- store the control point identity and the functionalities as a control point (30) such that the user can operate any device he is allowed to in the computing environment from any physical entity where the control point is enabled.

14. Apparatus (12) for accessing services provided by a device (38) in a computing environment having a networking connectivity model and arranged to:

- identify a user wanting to access services at a point of access (12) for the user to the computing environment by using a control point identifier,
- determine if there is a control point (30) associated with the user existing at the point of access,
- copy, if there is no such control point at the point of access, the control point to the point of access,
- activate the control point, and
- connect the control point with a device (38), such that the user can access services from the device in dependence of the rights granted to him.

15. Network of computing devices using a networking connectivity model and comprising:

an apparatus (12) for creating a control point (30) associated with a user and arranged to:

- generate a control point identity for the user based on a public key associated with the user,
- provide at least basic control point functionalities, and
- store the control point identity and the functionalities as a control point (30) such that the user can operate any device (38) he is allowed to in the computing environment from any physical entity (12, 18, 20, 22) where the control point is enabled, and

an apparatus (12) for accessing services provided by a device and arranged to:

- identify a user wanting to access services at a point of access (12) for the user to the computing environment by using a control point identifier,
- determine if there is a control point associated with the user existing at the point of access,
- copy, if there is no such control point at the point of access, the control point to the point of access,
- activate the control point, and
- connect the control point with a device (38), such that the user can access services from the device in dependence of the rights granted to him.

16. Computer program product (66) for creating a control point associated with a user in a computing environment having a networking connectivity model, comprising a computer readable medium having thereon:

computer program code means, to make the computer execute, when said program is loaded in the computer:

- generate a control point identity for the user based on a public key associated with the user,
- provide at least basic control point functionalities, and
- store the control point identity and the functionalities as a control point such that the user can operate any device he is allowed to in the computing environment from any physical entity where the control point is enabled.

17. Computer program product (66) for accessing services provided by a device in 
a computing environment having a networking connectivity model, comprising a computer 
readable medium having thereon: 

computer program code means, to make the computer execute, when said 
program is loaded in the computer: 

- identify a user wanting to access services at a point of access for the user to 
the computing environment by using a control point identifier, 

- determine if there is a control point associated with the user existing at the 
point of access, 

- copy, if there is no such control point at the point of access, the control point 
to the point of access, 

- activate the control point, and 

- connect the control point with a device, such that the user can access services 
from the device in dependence of the rights granted to him. 

18. Computer program element for creating a control point associated with a user 
in a computing environment having a networking connectivity model, said computer program 
element comprising: 

computer program code means, to make the computer execute, when said 
program element is loaded in the computer: 

- generate a control point identity for the user based on a public key associated 
with the user, 

- provide at least basic control point functionalities, and 

- store the control point identity and the functionalities as a control point such 
that the user can operate any device he is allowed to in the computing environment from any 
physical entity where the control point is enabled. 

19. Computer program element for accessing services provided by a device in a 
computing environment having a networking connectivity model: 

computer program code means, to make the computer execute, when said 
program element is loaded in the computer: 

- identify a user wanting to access services at a point of access for the user to 
the computing environment by using a control point identifier, 

- determine if there is a control point associated with the user existing at the 
point of access, 

- copy, if there is no such control point at the point of access, the control point 
to the point of access, 

- activate the control point, and 

- connect the control point with a device, such that the user can access services 
from the device in dependence of the rights granted to him. 
ABSTRACT: 

The present invention relates to a method, apparatus, computer program 
product and computer program element for creating a control point associated with a user in a 
computing environment having a network connectivity model, a method, apparatus, computer 
program product and computer program element for accessing services provided by a device 
in such an environment. A control point is created for a user including a control point identity 
(step 46) based on a public key of the user and control point functionalities (step 48). The 
control point is stored (step 50) such that the user can operate any device from any physical 
entity or point of access where the control point is activated. 
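
The create and access steps claimed above, as an added sketch that is not part of the patent text. It assumes the identity is a SHA-256 hash of the public key bytes (the text only says "based on a public key"); the device name "tv", the actions and all class and function names are hypothetical.

```python
import hashlib
from dataclasses import dataclass, field

def control_point_id(public_key: bytes) -> str:
    # Assumption: SHA-256 over the key bytes; the text only says "based on a public key".
    return hashlib.sha256(public_key).hexdigest()

@dataclass
class ControlPoint:
    identity: str
    functions: tuple = ("discover", "invoke")  # stand-in for "basic functionalities"
    active: bool = False

@dataclass
class SecurityConsole:
    acl: dict = field(default_factory=dict)  # device -> {control point id -> actions}

    def grant(self, device, cp_id, actions):
        self.acl.setdefault(device, {}).setdefault(cp_id, set()).update(actions)

    def allowed(self, device, cp_id, action):
        return action in self.acl.get(device, {}).get(cp_id, set())

class PointOfAccess:
    def __init__(self, store):
        self.store, self.local = store, {}  # shared control point store, local copies

    def access(self, cp_id, console, device, action):
        if cp_id not in self.store:          # identify: unknown identifier, no control point
            raise KeyError("no control point stored for this identifier")
        copied = cp_id not in self.local     # determine whether it already exists here
        if copied:                           # copy from the store to this point of access
            self.local[cp_id] = ControlPoint(cp_id, self.store[cp_id].functions)
        cp = self.local[cp_id]
        cp.active = True                     # activate
        # connect: the device honours only what the console granted to this identity
        return copied, console.allowed(device, cp.identity, action)

def demo():
    key = b"constructed-public-key-of-user"  # constructed sample, not a real key
    cp = ControlPoint(control_point_id(key))
    store = {cp.identity: cp}                # create and store the control point
    console = SecurityConsole()
    console.grant("tv", cp.identity, {"play"})
    pc, phone = PointOfAccess(store), PointOfAccess(store)
    return [pc.access(cp.identity, console, "tv", "play"),
            pc.access(cp.identity, console, "tv", "play"),
            phone.access(cp.identity, console, "tv", "record")]
```

Each result is a pair (copied to this point of access, action permitted): the rights follow the key-derived identity to a second point of access, and an action that was never granted is refused there as well.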
Fig. 5 (flow chart; PHNL031313): generate control point identity based on public key of user; provide normal control point functionalities; store control point identity and functionalities as control point in control point store. 

Flow chart on sheet 3/3 (PHNL031313): identify a user requesting access to services; determine if a user control point exists; copy control point in case no such control point exists; activate control point; register control point at security console; grant permission to control point by security console; connect control point with device. 